Verisign recently added wildcard A records for the .com and .net domains, so lookups of invalid domains no longer fail. This is playing havoc with my spam blocking software, among other things. This patch adds a new control file listing (dnscache/root/ignoreip). Any query that returns an A record to an IP listed in this file will be treated as failure. This patch isn't perfect as it relies on blocking particular IPs. I prefer Bind's implementation of delegation-only domains, but I'm not familiar enough with djbdns's code to implement it right now.

Reproducible: Always

Steps to Reproduce:
1. Try and connect to a non-existent site in the .net domain (www.asdfasfdafdas.net)

Actual Results: You'll end up at Verisign's sitefinder website, which offers you the chance to buy the domain.

Expected Results: The query will fail, as it always has in the past.
Created attachment 17890 [details] Ebuild including ipignore patch The ipignore patch must come before the fwdzone patch or it won't apply.
Created attachment 17891 [details, diff] ignore ip patch Patch which adds the ability to ignore A records resolving to a given list of IPs
Created attachment 17892 [details] Documentation file for setting up dnscache/root/ignoreip
Created attachment 17896 [details] revised ebuild to download & install patch
fefe has updated his ipv6 patch for djbdns, too. It comes now with an IPv6 version of Russ Nelson's Verisign civil disobedience patch. -> http://fefe.de/
When we update the ebuild, it may also be useful to include J.P. Larocque's script that (allegedly, I haven't tried it yet) dynamically builds a list of IP addresses that need to be ignored. There is a link to the script from the instructions in the patch itself, but, in case it saves someone some time, here is a copy-and-paste job: J.P. Larocque contributes a script which updates root/ignoreip: http://ely.ath.cx/~piranha/software/ignoreip-update/ignoreip-update-0.1
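The two pieces discussed in this bug, the ignoreip check from the patch (any query whose A records include a listed IP is treated as failure) and a script that builds the ignore list by detecting a TLD's wildcard, as an added Python example that is not the patch, J.P. Larocque's script, or any code from the attachments. The ignoreip file format (one IPv4 address per line, '#' comments) is an assumption, the resolver is an offline stub, and all addresses are constructed from the RFC 5737 documentation range.

```python
import ipaddress
import secrets
import string
from typing import Callable, List, Optional, Set

# Constructed sample of dnscache/root/ignoreip. Assumed format (not taken from
# the patch's documentation): one IPv4 address per line, '#' starts a comment.
SAMPLE_IGNOREIP = """\
# wildcard target for *.net (constructed, RFC 5737 documentation range)
192.0.2.99
192.0.2.10   # second constructed entry, with a trailing comment
"""

# A resolver is modelled as a function from a name to its list of A records.
Resolver = Callable[[str], List[str]]


def parse_ignoreip(text: str) -> Set[ipaddress.IPv4Address]:
    """Parse the ignoreip control file into a set of addresses."""
    ignored: Set[ipaddress.IPv4Address] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ignored.add(ipaddress.IPv4Address(line))
    return ignored


def lookup(name: str, resolve: Resolver,
           ignored: Set[ipaddress.IPv4Address]) -> Optional[List[str]]:
    """Resolve name; return None (failure) when the answer is empty or when
    any A record points at an ignored IP, which is the patch's rule."""
    answers = resolve(name)
    if not answers:
        return None
    if any(ipaddress.IPv4Address(a) in ignored for a in answers):
        return None
    return answers


def probe_wildcard(tld: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Query random labels under tld that are almost certainly unregistered.
    Any address returned for every probe is a wildcard target and belongs in
    the ignore list; an honest TLD answers none of them."""
    common: Optional[Set[str]] = None
    for _ in range(probes):
        label = "".join(secrets.choice(string.ascii_lowercase) for _ in range(20))
        ips = set(resolve(f"{label}.{tld}"))
        common = ips if common is None else common & ips
        if not common:
            return set()
    return common or set()


def stub_resolver(name: str) -> List[str]:
    """Constructed offline stand-in for a wildcarded .net: known names answer
    normally, every other .net name gets the wildcard address, and all other
    names fail (NXDOMAIN)."""
    known = {"www.example.net": ["192.0.2.55"]}
    if name in known:
        return known[name]
    if name.endswith(".net"):
        return ["192.0.2.99"]
    return []


if __name__ == "__main__":
    ignored = parse_ignoreip(SAMPLE_IGNOREIP)
    print("wildcard IPs for .net:", probe_wildcard("net", stub_resolver))
    print("www.example.net ->", lookup("www.example.net", stub_resolver, ignored))
    print("www.asdfasfdafdas.net ->",
          lookup("www.asdfasfdafdas.net", stub_resolver, ignored))
```

The probe uses several random labels and intersects the answers so that a single coincidental match cannot mark a legitimate address as a wildcard; with a real resolver in place of the stub, feeding the intersection back into the ignore file is the dynamic list-building the comment above describes.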
Seems like this isn't needed now that Verisign changed.